Shlayer Malware targets MacOs

A new Shlayer macOS malware variant which obfuscates itself to sneak past security tools and compromise a target machine.

Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners.

Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant comes using a standard Apple application bundle inside the .DMG.

A new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.

Fortunately, it seems that ZShlayer infections are currently isolated to users who have downloaded illicit software outside of Apple’s official App Store ecosystem.

Most ZShlayer droppers that I saw are in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.

Shlayer, malware which poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019.

The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.

Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.

MacOS macros in to spotlight

Building successful macro attacks means getting past several layers of security, but a Black Hat speaker found a way through.
Microsoft Office is no stranger to vulnerabilities and exploits.

Most of those vulnerabilities led from Microsoft Office to Microsoft Windows, but it’s possible for an attacker to take an exploit path from Microsoft Office to macOS .

The Human Error

In most of the macro-based attacks, human intervention on the part of the victim is required at least once, and usually twice, Wardle said. First, the victim must click on an email attachment or malicious link in order to download and open the infected document. Next, in most cases macros will not run on a system by default — they must be given explicit permission to run by the user.

Most macro-based attacks have two stages, Wardle explained. In the first — the stage given explicit permission to run by the victim — code executes that checks the system status, checks for the presence of anti-malware software, and then downloads the second stage. It’s the second stage payload that contains the “working” code of the attack, whether it’s skimming credentials, creating a bot, or encrypting the system’s data as part of a ransomware scheme.

Out of the (Sand)box

Modern malware writers have an additional hurdle to overcome. Microsoft Office now executes all macros in a “sandbox,” a walled-off environment within the operating system that prevents code from gaining persistence or interacting with the system as a whole. The goal for malware writers is breaking out of the sandbox.

Researchers found ways to include SYLK files and XLM code that make macros execute whether or not they’re invoked or allowed. They still run within the sandbox. Wardle showed that it’s possible to create files through a macro — files that can be placed outside the macro and can be built to auto execute on system boot. That combination is the key to persistence, one of the golden tickets that attackers pursue in any campaign.

What kind of files can fit the twin bill?

A ZIP file, dropped into the proper subdirectory, will be invoked automatically. While the latest macOS endpoint security framework should detect such a file’s creation, Wardle said that there’s room for research here